Vault Agent with Kubernetes - getting connection refused error

I am trying the sample example Vault Agent Auto-Auth using the Kubernetes auth method. I have followed all the steps given in [Vault Agent with Kubernetes | Vault | HashiCorp Developer], but the login request is getting connection refused.

I have configured K8s using the commands below:

export VAULT_SA_NAME=$(sudo kubectl get sa vault-auth-k8s -n namespace1 -o jsonpath="{.secrets[*]['name']}")

export SA_JWT_TOKEN=$(sudo kubectl get secret -n namespace1 "$VAULT_SA_NAME" -o jsonpath="{.data.token}" | base64 --decode; echo)

export SA_CA_CRT=$(sudo kubectl get secret -n namespace1 "$VAULT_SA_NAME" -o jsonpath="{.data['ca.crt']}" | base64 --decode; echo)

export K8S_HOST="127.0.0.1"  # Using k3s, so using the Kubernetes host address 127.0.0.1

curl \
  --header "X-Vault-Token: $VAULT_TOKEN" \
  --request POST \
  --data '{"type": "kubernetes"}' \
  http://X.X.X.X:8200/v1/sys/auth/kubernetes

sudo kubectl exec vault-0 -n namespace1 -- vault write auth/kubernetes/config \
  token_reviewer_jwt="$SA_JWT_TOKEN" \
  kubernetes_host="https://$K8S_HOST:8443" \
  kubernetes_ca_cert="$SA_CA_CRT"

sudo kubectl exec vault-0 -n namespace1 -- vault write auth/kubernetes/role/example \
  bound_service_account_names=vault-auth-k8s \
  bound_service_account_namespaces=namespace1 \
  policies=myapp-k8svl-ro \
  ttl=240h

TOKEN=$(sudo kubectl get secrets -n namespace1 -o jsonpath="{.items[?(@.metadata.annotations['kubernetes.io/service-account.name']=='vault-auth-k8s')].data.token}" | base64 --decode)

curl --request POST --data '{"jwt": "'"$TOKEN"'", "role": "example"}' http://X.X.X.X:8200/v1/auth/kubernetes/login

Once we run the above command, we get this error (displayed in vault-0):
[ERROR] auth.kubernetes.auth_kubernetes_e415b64a: login unauthorized due to: Post "https://127.0.0.1:8443/apis/authentication.k8s.io/v1/tokenreviews": dial tcp 127.0.0.1:8443: connect: connection refused

Please help if any configuration is missing or if I have done any wrong configuration.
Using Vault port 8200 and K8s host port 8443.

Hi, any chance you can reformat the post? It's quite hard to read.
I have not used k3s much, but could it be that when you are in the context of your Vault pod, the Kubernetes API is not exposed under localhost, hence you get a connection refused?
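An added example, not from any post in this thread: a small set of POSIX sh helpers to sanity-check the kubernetes_host value before it goes into auth/kubernetes/config. It encodes the hypothesis from the reply above (a loopback address in the Vault pod is not the API server), falls back to the standard in-cluster API service address, builds the TokenReview body Vault sends on login so the call can be replayed by hand, and offers a live probe from inside the Vault pod. All function names are assumed; the probe assumes the Vault image ships busybox wget.

```shell
#!/bin/sh
# Added example, not from the thread. Assumed names: url_host, host_is_loopback,
# pod_reachable_host, tokenreview_body, probe_from_pod. The fallback address
# https://kubernetes.default.svc:443 is the standard in-cluster API server service.

# Extract the host part of a URL such as https://127.0.0.1:8443 -> 127.0.0.1
url_host() {
  printf '%s\n' "$1" | sed -E 's#^[A-Za-z]+://##; s#/.*$##; s#:[0-9]+$##'
}

# Exit 0 when the host only resolves inside the caller's own network namespace.
# Vault runs in its own pod, so such a kubernetes_host yields
# "dial tcp ...: connect: connection refused" on every TokenReview.
host_is_loopback() {
  case "$(url_host "$1")" in
    127.*|localhost|\[::1\]) return 0 ;;
    *) return 1 ;;
  esac
}

# Pick a kubernetes_host usable from a pod: keep a non-loopback value as-is,
# otherwise fall back to the in-cluster API service.
pod_reachable_host() {
  if host_is_loopback "$1"; then
    printf '%s\n' "https://kubernetes.default.svc:443"
  else
    printf '%s\n' "$1"
  fi
}

# The TokenReview body Vault posts to /apis/authentication.k8s.io/v1/tokenreviews
# when a client logs in with a JWT (spec.token carries that JWT).
tokenreview_body() {
  printf '{"apiVersion":"authentication.k8s.io/v1","kind":"TokenReview","spec":{"token":"%s"}}' "$1"
}

# Live probe, not run at load time: from inside the Vault pod, fetch /version on
# the candidate host. Assumes busybox wget in the Vault image (constructed
# assumption; adjust the command if your image differs).
probe_from_pod() {
  host="$1"; pod="$2"; ns="$3"
  kubectl exec "$pod" -n "$ns" -- wget -qO- --no-check-certificate "$host/version"
}

# Usage with the thread's values (pod vault-0, namespace namespace1):
#   probe_from_pod "$(pod_reachable_host https://127.0.0.1:8443)" vault-0 namespace1
```

If the probe returns the API server's version JSON, that host is the one to put in kubernetes_host; if it still refuses the connection, the problem is network reachability from the pod, not Vault's configuration.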

Hi,
Thanks for the reply. I have modified my post and hope it is more readable now. All my pods (including Vault) are on the same Kubernetes node, as I am doing it locally on my machine.
But if I run the following commands I am able to access the K8s APIs on the same machine.

TOKEN=$(sudo kubectl get secrets -o jsonpath="{.items[?(@.metadata.annotations['kubernetes.io/service-account.name']=='default')].data.token}" | base64 --decode)

curl -X GET https://127.0.0.1:6443/apis --header "Authorization: Bearer $TOKEN" --insecure
Curl command output:
{
  "kind": "APIGroupList",
  "apiVersion": "v1",
  "groups": [
    {
      "name": "apiregistration.k8s.io",
      "versions": [
        {
          "groupVersion": "apiregistration.k8s.io/v1",
          "version": "v1"
        },
        {
          "groupVersion": "apiregistration.k8s.io/v1beta1",
          "version": "v1beta1"
        }
      ], ... (omitted due to long output)

When I use the same URL through Vault, I get the connection refused error.